sensu.sensu_go.ad_auth_provider – Manage Sensu AD authentication provider
Note
This plugin is part of the sensu.sensu_go collection (version 1.12.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install sensu.sensu_go
.
To use it in a playbook, specify: sensu.sensu_go.ad_auth_provider
.
New in version 1.10.0: of sensu.sensu_go
Synopsis
Create, update or delete a Sensu Go AD authentication provider.
For more information, refer to the Sensu Go documentation at https://docs.sensu.io/sensu-go/latest/operations/control-access/ad-auth/.
Requirements
The below requirements are needed on the host that executes this module.
python >= 2.7
Parameters
Parameter |
Comments |
---|---|
Authentication parameters. Can define each of them with ENV as well. |
|
The API key that should be used when authenticating. If this is not set, the value of the SENSU_API_KEY environment variable will be checked. This replaces auth.user and auth.password parameters. For more information about the API key, refer to the official Sensu documentation at https://docs.sensu.io/sensu-go/latest/guides/use-apikey-feature/. |
|
Path to the CA bundle that should be used to validate the backend certificate. If this parameter is not set, module will use the CA bundle that python is using. It is also possible to set this parameter via the SENSU_CA_PATH environment variable. |
|
The Sensu user’s password. If this is not set the value of the SENSU_PASSWORD environment variable will be checked. This parameter is ignored if the auth.api_key parameter is set. Default: “P@ssw0rd!” |
|
Location of the Sensu backend API. If this is not set the value of the SENSU_URL environment variable will be checked. Default: “http://localhost:8080” |
|
The username to use for connecting to the Sensu API. If this is not set the value of the SENSU_USER environment variable will be checked. This parameter is ignored if the auth.api_key parameter is set. Default: “admin” |
|
Flag that controls the certificate validation. If you are using self-signed certificates, you can set this parameter to ONLY USE THIS PARAMETER IN DEVELOPMENT SCENARIOS! In you use self-signed certificates in production, see the auth.ca_path parameter. It is also possible to set this parameter via the SENSU_VERIFY environment variable. Choices:
|
|
The prefix added to all AD groups. |
|
The Sensu resource’s name. This name (in combination with the namespace where applicable) uniquely identifies the resource that Ansible operates on. If the resource with selected name already exists, Ansible module will update it to match the specification in the task. Consult the name metadata attribute specification in the upstream docs on https://docs.sensu.io/sensu-go/latest/reference/ for more details about valid names and other restrictions. |
|
An array of AD servers for your directory. |
|
The AD account that performs user and group lookups. If your sever supports anonymous binding, you can omit the user_dn or password attributes to query the directory without credentials. |
|
Password for the user_dn account. If your sever supports anonymous binding, you can omit this attribute. |
|
The AD account that performs user and group lookups. If your sever supports anonymous binding, you can omit this attribute. |
|
Path to the certificate that should be sent to the server if requested. |
|
Path to the key file associated with the client_cert_file. Required if client_cert_file is present. |
|
Enables UPN authentication when set. The default UPN suffix that will be appended to the username when a domain is not specified during login (for example, user becomes user@defaultdomain.xyz). |
|
Search configuration for groups. |
|
Used for comparing result entries. Default: “member” |
|
Which part of the directory tree to search. |
|
Represents the attribute to use as the entry name. Default: “cn” |
|
Identifies the class of objects returned in the search result. Default: “group” |
|
AD server IP address. |
|
If true, the group search includes any nested groups a user is a member of. If false, the group search includes only the top-level groups a user is a member of. Choices:
|
|
Skips SSL certificate verification when set to true. Choices:
|
|
AD server port. |
|
Encryption type to be used for the connection to the AD server. Choices:
|
|
Path to an alternative CA bundle file. |
|
Search configuration for users. |
|
Used for comparing result entries. Default: “sAMAccountName” |
|
Which part of the directory tree to search. |
|
Represents the attribute to use as the entry name. Default: “displayName” |
|
Identifies the class of objects returned in the search result. Default: “person” |
|
Target state of the Sensu object. Choices:
|
|
The prefix added to all AD usernames. |
See Also
See also
- sensu.sensu_go.auth_provider_info
The official documentation on the sensu.sensu_go.auth_provider_info module.
- sensu.sensu_go.ldap_auth_provider
The official documentation on the sensu.sensu_go.ldap_auth_provider module.
- sensu.sensu_go.oidc_auth_provider
The official documentation on the sensu.sensu_go.oidc_auth_provider module.
Examples
- name: Create a AD auth provider
sensu.sensu_go.ad_auth_provider:
name: activedirectory
servers:
- host: 127.0.0.1
group_search:
base_dn: dc=acme,dc=org
user_search:
base_dn: dc=acme,dc=org
- name: Delete a AD auth provider
sensu.sensu_go.ad_auth_provider:
name: activedirectory
state: absent
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Object representing Sensu AD authentication provider. Returned: success Sample: {“groups_prefix”: “AD”, “metadata”: {“name”: “activedirectory”}, “servers”: {“binding”: {“user_dn”: “cn=binder,dc=acme,dc=org”}, “client_cert_file”: “/path/to/ssl/cert.pem”, “client_key_file”: “/path/to/ssl/key.pem”, “default_upn_domain”: “example.org”, “group_search”: {“attribute”: “member”, “base_dn”: “dc=acme,dc=org”, “name_attribute\u0027”: “cn”, “object_class”: “group”}, “host”: “127.0.0.1”, “insecure”: “False”, “port”: “636”, “security”: “tls”, “trusted_ca_file”: “/path/to/trusted-certificate-authorities.pem”, “user_search”: {“attribute”: “sAMAccountName”, “base_dn”: “dc=acme,dc=org”, “name_attribute”: “displayName”, “object_class”: “person”}}, “username_prefix”: “AD”} |
Authors
Aljaz Kosir (@aljazkosir)
Manca Bizjak (@mancabizjak)
Miha Dolinar (@mdolin)
Tadej Borovsak (@tadeboro)